ICMP tunnel
An ICMP tunnel [1] (also known as ICMPTX) establishes a covert connection between two remote computers (a client and proxy), using ICMP echo requests and reply packets. An example of this technique is tunneling complete TCP traffic over ping requests and replies.
Technical details
ICMP tunneling works by injecting arbitrary data into an echo packet sent to a remote computer. The remote computer replies in the same manner, injecting an answer into another ICMP packet and sending it back. The client performs all communication using ICMP echo request packets, while the proxy uses echo reply packets.
In theory, it is possible to have the proxy use echo request packets (which makes implementation much easier), but these packets are not necessarily forwarded to the client, as the client could be behind a translated address (NAT). This bidirectional data flow can be abstracted with an ordinary serial line.
This vulnerability exists because RFC 792, which is IETF's rules governing ICMP packets, allows for an arbitrary data length for any type 0 (echo reply) or 8 (echo message) ICMP packets.
Uses
ICMP tunneling can be used to bypass firewalls rules through obfuscation of the actual traffic. Depending on the implementation of the ICMP tunneling software, this type of connection can also be categorized as an encrypted communication channel between two computers. Without proper deep packet inspection or log review, network administrators will not be able to detect this type of traffic through their network.[2]
Mitigation
Although the only way to prevent this type of tunneling is to block ICMP traffic altogether, this is not realistic for a production or real-world environment. One method for mitigation of this type of attack is to only allow fixed sized ICMP packets through firewalls to virtually eliminate this type of behavior.[3]
See also
References
- ^ Daniel Stødle. "Ping Tunnel: For those times when everything else is blocked".
- ^ http://protocol.korea.ac.kr/publication/Covert%20Channel%20Detection%20in%20the%20ICMP%20Payload%20Using%20Support%20Vector%20Machine.pdf
- ^ http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.61.5798&rep=rep1&type=pdf
External links
- http://blog.brunogarcia.com/2012/03/icmp-for-stealth-transport-of-data.html ICMP tunnel with C# source code
- http://sourceforge.net/projects/itun Simple ICMP tunnel
- http://www.cs.uit.no/~daniels/PingTunnel/
- http://www.bluebitter.de
- http://www.pdproxy.com/ VPN that use ICMP tunnel
- http://icmpshell.sourceforge.net/ a telnet-like protocol using only ICMP
- http://droidvpn.com/ an android app that can tunnel IP over ICMP
- ICMP Crafting [1] by Stuart Thomas
- Malacious ICMP Tunneling : Defense Against the Vulnerability [2] by Abhishek Singh
- RFC 792, Internet Control Message Protocol
- Using the ICMP tunneling tool Ping Tunnel
- Project Loki" Article on ping tunneling in Phrack
- http://IcmpTunnel.com